The T-Mobile prepaid SIM makes it possible to pay for new service from the phone itself. This requires the phone to be able to connect to T-Mobile's network, which blocks access to the rest of the Internet through a captive portal until the account is activated. But Ajit found that the Speedtest mobile app worked even when the phone's data plan hadn't been activated—likely as a marketing tool to demonstrate the speed of T-Mobile's 4G network.

By capturing some of the data sent to Speedtest while the phone was on a shared network connection through his Mac (he used mitmproxy to do so), Ajit discovered that the graphics the Speedtest app uses to measure download speed were hosted on a number of different sites. The only thing they had in common was that their Web addresses all included "/speedtest" in the URL. He manually entered the URLs into a browser on the phone and was able to reach them despite the T-Mobile block.

Ajit set up media at Web addresses with /speedtest in their URL. The browser was able to reach them. Taking his finding to its conclusion, he set up a simple Web proxy on a remote server using Glype, again using the /speedtest directory in his URL... and it worked. Ajit had full access to the Web without activating the phone.

Ajit has since taken down the proxy. Ars attempted to contact T-Mobile for comment on Ajit's findings, which he said he has reported to the company. T-Mobile did not respond to requests for comment.
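The following is an added example, not code from the article or from T-Mobile: it contrasts a walled-garden rule that passes any URL containing "/speedtest" (the behaviour described above, assumed here to be a plain substring match) with a check that also pins the hostname and normalises the path. The hostnames, the function names and the sample request list are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Hypothetical hosts that serve the speed-test assets (placeholders).
ALLOWED_HOSTS = {"speedtest.example.net", "cdn.speedtest.example.net"}


def weak_allow(url):
    """Assumed pre-activation rule: anything with '/speedtest' in the URL passes."""
    return "/speedtest" in url


def strict_allow(url):
    """Allow only speed-test assets on known hosts, after path normalisation."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False
    # Decode percent-escapes and collapse dot segments before comparing.
    path = posixpath.normpath(unquote(parts.path) or "/")
    return path == "/speedtest" or path.startswith("/speedtest/")


def audit(urls):
    """Return the requests the weak rule lets through but the strict rule denies."""
    return [u for u in urls if weak_allow(u) and not strict_allow(u)]


# Constructed sample of pre-activation requests seen at the gateway.
SAMPLE = [
    "http://cdn.speedtest.example.net/speedtest/random2000x2000.jpg",
    "http://proxy.example.org/speedtest/browse.php",
    "http://speedtest.example.net/speedtest/../account",
    "http://news.example.com/",
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("weak rule only:", url)
```

For HTTPS traffic the gateway does not see the path at all, so the hostname pin is the part of the strict check that carries the weight.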

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email sean.gallagher@arstechnica.com // Twitter @thepacketrat

Really impressive that he tinkered with it, proved it, took it down, and sent the findings in to the group (T-Mobile) that would have lost (if you consider it losing out on its part, which, in capitalism, I suppose you could/would) out had the kid just spread the word on reddit or something, or even kept it to himself. Now we get a story about a cool, young tester instead of a kid being accused of some tier of theft by a phone company.

So let me ask: the kid discovered how to get net access. How did this come to the news? Did the kid himself publish it? Or someone else found it?

Because the kid could have been a modern Joybubbles: having a secret sauce that allows him to browse free of charge. As a kid, I would have kept the secret to myself. Hell, as a grownup I'd still probably keep the secret to myself.

Can someone explain what purpose testing your speed would be if you can't even use it?

The best theory I've heard is that because of their desire to fake the speed test's results, they placed the QoS rule for the test far, far ahead of anything else on their network, causing requests to skip being checked for billing status.

The story of how somebody's half-assed regex 'solution' ended up becoming the sole line of defense against wholesale theft of service is probably the stuff of which really, really, boring (but highly believable) legends are made.

For the sake of my confidence in humanity, I'm going to assume that it wasn't a one-step process; and that one person's quickie hack was unwittingly promoted to production; rather than a single person actually thinking that this was a good idea.

Ah, kids. So clever, but so ignorant. Nobody knows his odds for escaping prosecution! Only time will tell.

I wonder if he knew the risk of informing them as he did..? If he wanted to "be helpful" he would have remained anonymous as he reported this. Instead he's shooting for internet fame and potential jail time.

Never underestimate the ability of a teenager to crack security. I remember back in High School one kid found a way to bypass both the state set and school set filters. It took about five minutes to actually get to the open access browser though. And our school's IT guy had it blocked by the next day.

And the next day, he got around it again? That's how it was at my school. Then again, we didn't really have much of an IT department...I was almost hired as part of it because I kept opening such holes

Nah. We had a one guy IT team. He sat in the server room all day doing who knows what sort of mysticism to keep everything running. The kid that found it would sit in the library all day just going to every directory he could, trying to run anything he could. So from what I could tell, the IT guy just fixed anything the kid broke then made it so it'd be harder to break. Basically he was using the kid as a one man chaos monkey.

Agreed. But Mr. Ajit has a long-ass way to go to repair the damage that Other Ajit has done. If you happen to be in midtown D.C. at 4:30 AM, and your BAC is tweaked just right, you can hear the squealing cries of the thousand babies the Other Ajit killed, drifting down from somewhere beyond the metropolitan-pink night sky, generally from the direction of the Ophiuchus Sagittarius constellation, or a Geminid meteor shower, if one is handy.

When I was in high school a couple years ago, you could get perfectly unfiltered internet by opening Photoshop and going to the help menu (which for some reason featured a browser) and changing the url to twitter or facebook (for example, both were blocked) and just browsing "through" photoshop. I have no idea to this day how it worked xD

In my day the IT guy was called "mommy.com" (who remembers that?) and the way to bypass it was to type your URL into a browser window instead of into IE.

Many of my works never got patched (at least, while I was there), including cracking the wireless password, gaining admin access to all the Macs on site, and gaining completely unfiltered web access via an SSH tunnel to my home. (Yeah, not particularly inventive solutions on my part, but IT never really made being creative all that necessary, the most they did was blacklist proxy websites.)

According to the rumor mill, I was also capable of changing people's grades. Not sure where that one came from. Though, ironically, I did end up working at a software company for a few years that may have been the provider of the software used to manage all that, and I might be able to now (assuming they haven't closed the backdoor used for support).

When I was in high school a couple years ago, you could get perfectly unfiltered internet by opening Photoshop and going to the help menu (which for some reason featured a browser) and changing the url to twitter or facebook (for example, both were blocked) and just browsing "through" photoshop. I have no idea to this day how it worked xD

Possibly your school was using a filtering method that was at least partially based on browser identification. For instance here at my office we have nearly unfiltered internet for IE, but some of our business applications until very recently were not compatible with anything newer than IE8. However some of our staff also had business need to use webpages that did not function under IE8, so for them we install Chrome. But our web filtration servers only allow Chrome to navigate specifically to those pages that our IT has white listed as being required for these individuals to do their job.

Pfft. Kids. In my day the internet nanny was that only major research universities had internet access, and elementary schools didn't.

It was nigh unbreakable security, that.

Not that hard. Go to a terminal farm (most of them didn't have even the most rudimentary access control) and shoulder surf until you got a uid and password. It wasn't till the mid-90's that they started locking down physical access.

Thomas Jefferson has a connotation of world-class among the parents, and preppy among the rival students.

Either way, lots of money and technology-education has gone into the area. It's good to hear the fruits of that blossoming in a way like this... Gives more incentive to maintain the existing extra-curricular programs such as FIRST Robotics.

Possibly your school was using a filtering method that was at least partially based on browser identification. For instance here at my office we have nearly unfiltered internet for IE, but some of our business applications until very recently were not compatible with anything newer than IE8. However some of our staff also had business need to use webpages that did not function under IE8, so for them we install Chrome. But our web filtration servers only allow Chrome to navigate specifically to those pages that our IT has white listed as being required for these individuals to do their job.

Oh, god, I'd die there and shoot them all to hell! Forcing people to IE8!!

Agreed. But Mr. Ajit has a long-ass way to go to repair the damage that Other Ajit has done. If you happen to be in midtown D.C. at 4:30 AM, and your BAC is tweaked just right, you can hear the squealing cries of the thousand babies the Other Ajit killed, drifting down from somewhere beyond the metropolitan-pink night sky, generally from the direction of the Ophiuchus Sagittarius constellation, or a Geminid meteor shower, if one is handy.

Godspeed, Mr. Ajit.

I'm scared you know this. Are you helping the "other"? <scowl>

I'm writing a fairly exhaustive book about Ajit Pai's time in D.C.

It's called Drenched in Blood: An Unauthorized Microbiography of Ajit Pai's Time as Commissioner of the FCC. 99 cents on Amazon. It would have been done by now, but the subject-matter I'm tasking the illustrators to depict means I'm going through illustrators at a fair clip. What's so hard about "Potomac shoreline at dusk, man up to his ankles in water wearing a suit, hands stuffing ambiguous shadowed mass to his face, obvious infant leg and arm emerging from mass." Drama llamas, the lot of them.

Drama queens indeed!

Well, I'll buy your book just so I can use it as a reminder / warning for future generations.

The story of how somebody's half-assed regex 'solution' ended up becoming the sole line of defense against wholesale theft of service is probably the stuff of which really, really, boring (but highly believable) legends are made.

For the sake of my confidence in humanity, I'm going to assume that it wasn't a one-step process; and that one person's quickie hack was unwittingly promoted to production; rather than a single person actually thinking that this was a good idea.

IME as a dev it goes like this:

"Wait, marketing wants, WHAT? That's a terrible idea. We can't do that, that's idiotic. Not to mention unethical."

"Well, we have to. Even if marketing is made up of people who can barely swallow their own saliva without choking, they call the shots."

"OK," *writes simplest code that will sometimes technically do what was asked* "Done, f--k them."